Microsoft Fixes 34 Bugs In Record 13-Patch Update
Altogether, eight of the 13 patches repaired critical errors across every version of Windows and Internet Explorer, including critical bugs in SMB and one deemed "important" in the Microsoft FTP Service. Such flaws allow attackers to compromise vulnerable systems remotely with malicious code, typically to steal information.
The patches address a total of 34 vulnerabilities in Microsoft Windows, Internet Explorer, Office, SQL Server, Microsoft Forefront, Silverlight and Microsoft Developer Tools, as well as third-party ActiveX components, among others.
One of the most significant patches repaired a total of three critical vulnerabilities -- including a zero-day flaw -- in the SMB version 2 implementation. SMB is Microsoft's file-sharing protocol; the flaws affect Windows 7, Vista and Server 2008, as well as XP, 2000 and Server 2003.
Microsoft released a security advisory for the SMB flaw in September after researchers published exploit code without first notifying Microsoft about the vulnerability, Redmond said. So far, Microsoft has maintained that it has yet to see active attacks in the wild exploiting the SMB glitch. Should attackers put that exploit code to use, users could face remote code execution designed to steal data from their PCs.
In addition, the October update shores up an error ranked "important" in the FTP Service in numerous versions of the Microsoft Internet Information Services. Microsoft released a security advisory in September warning users of "limited attacks" exploiting the flaw.
Despite its "important" ranking, the vulnerability could allow attackers to run malicious code on a company's FTP server running on IIS 5.0, or to launch DoS attacks on systems running the FTP Service on IIS 5.0, 5.1, 6.0 or 7.0. However, security experts contend the FTP vulnerability is mitigated by the fact that the majority of FTP servers are open-source versions and not Microsoft's FTP Service.
Security experts said that one of Microsoft's most far-reaching and serious patches is a cumulative fix for IE, plugging four security holes that could pave the way for hackers to launch attacks by luring victims to a maliciously crafted Web site, typically through some kind of social engineering scheme delivered via e-mail or social networking site.
Security experts maintain that the IE patch is the one users should install first to prevent attack.
"It's all versions of IE. Everything is vulnerable," said Wolfgang Kandek, chief technology officer for Qualys. "It's very widely used. We also think it should be easily patchable."
Kandek said that another critical patch with wide reach is the update repairing vulnerabilities in GDI+, a protocol that enables applications to render graphics and formatted text on video screens and printed media. Like the IE flaws, the GDI flaw affects a slew of products, including all versions of Windows, IE, Microsoft Office, SQL Server, Developer Tools and Microsoft Forefront. An attacker could infect victims by enticing them to download a malicious image file or by tricking them into viewing a maliciously crafted image on a compromised Web site.
Unlike the IE fix, the GDI flaw might be more challenging to patch because it affects almost every system and application in common enterprise use, experts said.
In addition, Microsoft issued a cumulative update for an actively exploited ActiveX vulnerability common to an array of ActiveX controls. The flaw, which lies in the Active Template Library (ATL) used to build those controls, could leave users susceptible to remote code execution if they view a malicious Web page in IE with an affected ActiveX control installed.
Included in Microsoft's security bulletin were two patches -- one in Windows Media Runtime and the other in Windows Media Player -- repairing several critical media-streaming vulnerabilities. Users who run Media Runtime could unknowingly download information-stealing malware if they stream a maliciously crafted media file or receive malicious streaming content from a Web site or media streaming application. Meanwhile, users could also become infected if they open a malicious ASF file while running Windows Media Player 6.4.
The 13-patch update is a record for Redmond. The previous record was 12 patches in one month, set in both February 2007 and late October 2008. Security experts speculate that the heavy patch load is due to Microsoft playing catch-up following the barrage of vulnerabilities disclosed at hacker conferences such as Black Hat and DefCon over the summer.
"It could be due to the conferences. Security researchers work extra hard and it may have caused a bit of a traffic jam," Kandek said.
Microsoft also included five updates for flaws carrying the slightly less severe "important" ranking, plugging holes in the FTP Service, Windows CryptoAPI, Indexing Service, Windows Kernel and Local Security Authority Subsystem Service.